Malware Analysis Report

2024-12-07 14:04

Sample ID 241112-mqr69a1cqd
Target 6633f19132821190e3fa92befd285f74556e9f8b1f29dc52baeed496a2049835.zip
SHA256 6633f19132821190e3fa92befd285f74556e9f8b1f29dc52baeed496a2049835
Tags
agenttesla collection credential_access discovery keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6633f19132821190e3fa92befd285f74556e9f8b1f29dc52baeed496a2049835

Threat Level: Known bad

The file 6633f19132821190e3fa92befd285f74556e9f8b1f29dc52baeed496a2049835.zip was found to be: Known bad.

Malicious Activity Summary

agenttesla collection credential_access discovery keylogger spyware stealer trojan

Agenttesla family

AgentTesla

AgentTesla payload

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Checks computer location settings

Reads user/profile data of local email clients

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 10:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 10:40

Reported

2024-11-12 10:43

Platform

win7-20240903-en

Max time kernel

136s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe C:\Windows\SysWOW64\schtasks.exe
PID 1820 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe

"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neHneiobyhcrJJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4FC5.tmp"

C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe

"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp4FC5.tmp

MD5 b6066ad35d085560b49adc64120cfa0a
SHA1 2149b223a5b6f304144fd9335b3e4abd58d3e4b0
SHA256 a3472e1ca85b9159a512f16b64368d83303e6ceaa96dcd5f839556568a34bb44
SHA512 15822ce540f77cd4ec0bca2343ffee9523d1003fc40a6ac0600f8b884b76336d0e31b8a4b860cac51cd87718ff02baea87f1b3003b4b26e227a04393a5a3f5fd

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 10:40

Reported

2024-11-12 10:43

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3372 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe C:\Windows\SysWOW64\schtasks.exe
PID 3372 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe

"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neHneiobyhcrJJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A04.tmp"

C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe

"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\tmp4A04.tmp

MD5 d855424334a00856c942017f5f2aa68a
SHA1 a77750f366042a168eb422b1e0c912db0049c496
SHA256 cad8d474fd5938bac68c6964d7286b99ad931c86b2be56d81a5d9afdde14bd28
SHA512 7bd51742af5638b1788aee063cd5d4be3214c0afa7614375bc16b5565fc55fed46ed3f3e6d26a0c3b20c22d8f8c2d37c0cd2113cbb874cc482bc911cc455a150

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
